Abstract:

Nowadays mobile phones and other handheld devices are everywhere.
The iPhone has high security compared to other smartphones such as
MI, Samsung, Nokia, etc. As the use of the iPhone continues to increase,
the devices currently come with a wide range of software applications, new
technologies, and OS (Operating System). It therefore becomes
complicated for a forensic researcher to inspect the evidence (proof)
from an iPhone. Proper knowledge of forensic equipment and its
features is covered, along with mobile forensic analysis and the different
types of equipment for mobile forensics, and the final section of the
manuscript presents the exploratory results of the tool IMYFONE D-BACK.
1. INTRODUCTION

“Digital forensics is a division of forensic science focused
on recovery and analysis of artifacts found on digital devices. Any
equipment that stores data (e.g. Macintosh, Macbook, iPhone,
Flash drives, Micro SD cards or External Hard-Disks) is within
the ambit of digital forensics” [15].

Today’s smartphones, such as the Apple iPhone [17] and a
wide variety of other smartphones [18], are compact forms of powerful
computers with high performance, involving multi-core CPUs, gigabytes
of storage, and improved communication facilities such as software
assisted GPS. As new features and applications are integrated into
smartphones, the amount of data stored on the devices is always
growing. The smart application business has turned smartphones
into handy data carriers that keep track of almost all moves
of the user. The prevalence of smartphones in everyday life has led to
their popularity in daily crimes. Thus the digital information
acquired from smart devices has become one of the prime sources
of proof for investigating the problems pertaining to data
acquisition.

In this context, the term “Smart Devices” refers to a broad 
spectrum of devices which have communication facilities and 
storage facility for digital data. There are international guidelines 
for the acquisition and examination of smart devices that are 
primarily targeted towards the preservation and non-contamination 
of digital data in smart devices. 

The best instance of a smartphone being used as a weapon of terror to
carry out a crime is the Mumbai terrorist attack in 2008 [20]. The
terrorists took full advantage of being part of the smartphone
generation. They connected electronically through smartphones to
each other and with their controllers at every stage of their
operation. This attack was not the first time that smartphones were used,
but the way they were used is important and revealing. In
such cases, a large amount of data can be extracted from these devices
and used as forensic proof. Mobile devices have evolved at
an explosive rate. There are many hardware and software
components used in this industry. The quantities of data which can be
stored on modern mobile devices are enormous. Application-specific
data may be stored on mobile devices. The investigation
method and tool used to communicate with the mobile device can
often invalidate the proof in court because they can affect the integrity
and repeatability of the proof [5]. "Forensically sound" is the term
used in digital forensic circles to approve the use of a specific
forensic technology or methodology.

The fundamental concept of sound forensic examination of
digital proof is that the original proof is not altered. With mobile
devices, this is extremely difficult. Most forensic methods require a duplex
channel of communication with the mobile device, and therefore the
device cannot be protected against writing during forensic
acquisition. Other methods of acquiring proof may include
replacing the bootloader software on the mobile device or replacing
a chip to facilitate access to proof.

When the device is changed, the process and the resulting
change need to be validated and documented. As with any
collection of proof, failure to follow the proper procedure during
the examination may lead to the loss of or damage to proof, or make it
inadmissible in court. All these challenges make it difficult to use
digital forensic analysis tools on mobile devices. It should be noted
that the ISO 27037 specification “Detection, collection and/or
acquisition and preservation guidelines for digital evidence” (2012)
defines methods and techniques accepted in many jurisdictions in
digital forensics [12].
2. SMART DEVICES & PROOF PRESERVATION

The collection of proof at the crime site shall include the 
preservation of the state of the devices: 

1. A switched ON device must be kept on 

2. It must be protected from external WiFi signals while 
maintaining the state of the WiFi status of the phone. 

3. It should be isolated from telecommunication signals (like 
4G, LTE, etc.) 

4. GPS signals must be isolated. 

5. Its battery should be kept charged (preferably at the same level
of the battery)

If a mobile device at a crime site is not isolated from all
the factors listed above, it becomes very easy for the attacker
to gain access to the device and lock or destroy all proof in it. This
is usually done using the facilities provided by the iPhone, such as iOS
from Apple. Figure 1 shows how easy it is for the owner (the
criminal in this case) to remotely locate, access, lock, and delete a
typical iPhone.
Fig 1: Remotely Track and erase iPhone with iCloud
Fig 2: Workflow of mobile forensics


The digital forensic process for the iPhone (based on Figure
2) can be divided into several categories:


3.1. CAPTURE, ISOLATE AND IDENTIFY 

At the time of the seizure, it is important to document with
photos the various mobile state information, including but not limited
to the current power state (on or off), the locking status, and the
presence or absence of memory cards. All hardware and software accessories,
including cables, chargers, subscriber identity module (SIM) card
data, and personal identification number (PIN) hints or passwords, are
collected as well. As already shown, it is essential to protect the
device from communicating with external agencies, including
(but not limited to) phone calls, short message service (SMS),
Wireless Fidelity (WiFi), Bluetooth and Global Positioning System
(GPS).

During the collection of proof, a phone call, an SMS or an
email may overwrite the previous ones. An iPhone which can be
accessed via the internet can easily be remotely wiped. Thus,
equipment such as a Faraday bag and/or radio jammer
must be used to prevent all electromagnetic communication with
the device. Phone features such as “Airplane mode” can also often be
used to prevent radio communication with external
parties. Functions such as “stay awake” can also be used to keep
the iPhone unlocked (display turned on).

3.2. ACQUISITION OF PROOF 

Data extraction from the SIM requires hardware tools such as a
PC/SC reader that acquires GSM 11.11 data. The device’s
internal memory (e.g. a memory chip) can be copied bit by bit
from the whole physical store. This allows the deleted files and any
remaining data, which would otherwise not be accounted for, to be
examined. The other copying method, for logical entities such as
files and directories, may prove to be a simpler method during the
examination. There are various software tools for extracting data
from the memory.
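
An added example, not from the paper or from any tool it describes: decoding two identity files that a PC/SC reader returns from a SIM, assuming the raw bytes of EF_ICCID and EF_IMSI have already been read from the card. The function names are hypothetical and the byte strings are constructed test values.

```python
def swapped_bcd(data):
    """Decode nibble-swapped BCD: the low nibble of each byte is the earlier digit."""
    nibbles = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data)
    digits = nibbles.rstrip("f")  # 0xF nibbles pad the unused tail
    if not digits.isdigit():
        raise ValueError(f"non-decimal nibble in {data.hex()}")
    return digits

def luhn_ok(number):
    """Check the final digit of an ICCID with the Luhn algorithm."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def decode_iccid(ef_iccid):
    """EF_ICCID is 10 bytes; return (iccid, check_digit_ok) so a mismatch is reported."""
    if len(ef_iccid) != 10:
        raise ValueError("EF_ICCID must be 10 bytes")
    iccid = swapped_bcd(ef_iccid)
    return iccid, luhn_ok(iccid)

def decode_imsi(ef_imsi):
    """EF_IMSI is 9 bytes: a length byte, then the identity, first digit in a high nibble."""
    if len(ef_imsi) != 9 or not 1 <= ef_imsi[0] <= 8:
        raise ValueError("EF_IMSI must be 9 bytes with a length of 1..8")
    body = ef_imsi[1:1 + ef_imsi[0]]
    odd = bool(body[0] & 0x08)  # flag bit: odd or even number of digits
    imsi = f"{body[0] >> 4:x}" + swapped_bcd(body[1:])
    if not imsi.isdigit() or (len(imsi) % 2 == 1) != odd:
        raise ValueError("IMSI digits do not match the odd/even flag")
    return imsi

# Constructed test values, not taken from any real card.
SAMPLE_EF_ICCID = bytes.fromhex("980001000000000010f0")
SAMPLE_EF_IMSI = bytes.fromhex("080910101032547698")

if __name__ == "__main__":
    print(decode_iccid(SAMPLE_EF_ICCID), decode_imsi(SAMPLE_EF_IMSI))
```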

Specialized forensic software products, which can be automated, and
generic file viewers such as hex editors are available. Some specialist
tools include access to the data for memory image analysis. Since one
tool cannot extract all the information, it is often recommended that
two or more tools be used. As the acquisition becomes more
forensically sound, tools become more costly, analyses take longer,
and tools require more training.


3.3. REVIEW, ANALYSIS AND REPORTING 
1. Logical acquisition: A bitwise copy of logical storage
objects such as directories and logical storage files (e.g. a
partition of the file system).
2. Manual acquisition: This method uses the mobile User
Interface (UI) to scan the contents of the iPhone’s memory.
3. Metadata acquisition of the system file: When user data is
organized in a database, it is called metadata. Such
metadata databases may provide valuable information on the
use of the device; e.g. Call is a simple SQLite database file
in iOS.
4. Physical acquisition: It is the binary dump of the entire file
system. This may contain information on existing or deleted
file system objects.
5. Brute force acquisition: It is used to extract passwords or
PINs. Brute force tools submit data as a password or
PIN until successful. It takes time, and how long often depends on the
complexity of the original password or PIN.
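
An added example (not code from the paper or from IMYFONE D-BACK) of the metadata acquisition item above combined with the earlier requirement that the original proof is not altered: a working copy of a call-log SQLite file is hashed, read through a read-only, immutable connection, and hashed again. The table layout, file name and sample rows are constructed, and the timestamps are assumed to be seconds since 2001-01-01 UTC.

```python
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # assumed timestamp base

def sha256_file(path):
    """Hash a file in chunks so large evidence files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_sample_db(path):
    """Constructed stand-in for an extracted call log; the schema is hypothetical."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE call_record (address TEXT, date REAL, duration REAL, outgoing INTEGER)")
    con.executemany("INSERT INTO call_record VALUES (?, ?, ?, ?)",
                    [("+15550100", 600000000.0, 42.0, 1), ("+15550101", 600003600.0, 0.0, 0)])
    con.commit()
    con.close()

def examine_call_log(path):
    """Return (calls, write_blocked, unchanged) for a working copy of the evidence."""
    before = sha256_file(path)
    # mode=ro refuses writes; immutable=1 also stops SQLite creating journal or WAL files.
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro&immutable=1", uri=True)
    try:
        calls = [((APPLE_EPOCH + timedelta(seconds=ts)).isoformat(), addr, dur, bool(out))
                 for addr, ts, dur, out in con.execute(
                     "SELECT address, date, duration, outgoing FROM call_record ORDER BY date")]
        try:  # self-check: any write through this connection must be refused
            con.execute("DELETE FROM call_record")
            write_blocked = False
        except sqlite3.OperationalError:
            write_blocked = True
    finally:
        con.close()
    return calls, write_blocked, sha256_file(path) == before

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "calls_copy.db")
        build_sample_db(sample)
        print(examine_call_log(sample))
```

Recording the two digests in the examination notes gives a repeatable check that the analysis step did not change the file.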

On iPhones, the acquisition of proof is greatly simplified
once IMYFONE D-BACK (IMDB) with iTunes is enabled. This option
is probably the best tool for the forensic examiner when extracting
data from an iOS device, without affecting or altering the telephone status.
You can find this option in the development settings of nearly all
iPhones.

The iOS software development kit (SDK) includes [19] this
powerful IMDB tool to communicate via USB and WiFi with the
IMDB-enabled iPhone. Most of the above information can be
accessed from the desktop of the investigator using IMDB. Please
note that 99 percent of IMDB’s features can be used to access the
iPhone without root, making IMDB one of the best tools for
collecting and analyzing iPhone forensic data, as shown in Figures 3a and 3b.
FEATURES IN IMDB
IMDB is the best tool for forensic analysis.
1. Recover from iOS device
This mode can be used to recover recently deleted data from
the iOS device via USB, as shown in Figure 4.

Fig 4: Recover data from iOS device in IMDB


2. Recover from iTunes backup
This mode can be used to recover recently deleted data from
iTunes via the cloud with high probability, as shown in Figure 5.

Fig 5: Recover data from iTunes in IMDB


3. Recover from iCloud backup 
7. FIX iOS SYSTEM

Fix various iOS issues and get your devices back to normal with the help
of IMDB, as shown in Figure 7.

Fig 7: Fix iOS device issues in IMDB

i. Standard mode

Fix the white/black screen, device stuck on Apple logo/recovery
mode, restarting loops, iTunes errors, bricked iOS devices, freezing
screen, not turning on and more without data loss.

ii. Exit recovery mode

Quick fix iOS mode if you forgot the password for screen lock, or
you fail to fix iOS issues with standard mode.

iii. Advanced mode

Choose this mode if you forgot the password for screen lock, or
you fail to fix iOS issues with standard mode.
RESULT AND ANALYSIS

Once proof is acquired (as described above in many forms), the
following are the most common logical entities which are the potential
proof source in a mobile device, i.e. these are the possible logical
entities to be investigated in a mobile device, as shown in Figure 7a,
Figure 7b, Figure 7c, Figure 7d, Figure 7e, Figure 7f, Figure 7g, Figure
7h, Figure 7i, Figure 7j, Figure 7k, Figure 7l, Figure 7m, Figure 7n.

Two types of forensic investigations are possible with the proof data.
1. A crime has already taken place and the identity of the criminal
is unknown (e.g. hacking incident).
2. The crime and the criminal are both known (e.g. child
pornography investigation).
Fig 7a: Connecting iPhone in IMDB

You have to “Trust” the computer from your device in order to connect your device successfully.

Fig 7d: Data recovering from iPhone

Fig 7i: WhatsApp Attachments

Fig 7j: Available & Deleted WhatsApp attachment Photos

Fig 7l: Available & Deleted WhatsApp attachment Audios

Fig 7m: Available and deleted Calendar details
Working from the background of the incident and the proof collected
[6], the forensic expert can pursue the following goals:
1. Who is involved: collect information on the people
involved in the crime.
2. What is the nature of the events?
3. When did the crime-related events occur?
4. Why did the delinquent commit the offense?
5. What are the tools and methods used by offenders to carry out
the offense?


CONCLUSION 

Mobile forensics is the branch of digital forensics that acquires and
analyses mobile devices to detect and retrieve digital proof. We have
studied the forensic literature on the iPhone and identified the methods and
studies carried out in this field, regardless of the types of system used,
and the few tools already in common use. In this paper, we identified the
mobile forensic workflow and the methods for acquiring and
documenting proof for future use.